To better support the Security Validation user community and to enhance the capabilities of the platform, you can create new Actions, Sequences, and Evaluations. File Transfer and Email Actions are created from the File Library; all other Action types are created from the Action Library. Sequences and Evaluations are usually built by selecting Actions in the Action Library and adding them to the Action Queue, but you can also clone existing security content or create Sequences and Evaluations from a file.
The Action Queue allows you to select a group of content from the library and then work with them to build Sequences, Evaluations, or just run the group immediately without saving it. The Action Queue is also used when you create a copy of an existing Sequence or Evaluation.
To support quick testing, after you save the new Action, the Action Library appears with the new Action selected. The Job results page for the Action also includes an edit option, letting you open the Action to make additional changes.
Actions have versions and modified dates, which are updated differently based on the type of Action:
- User-created or imported Actions: The version and modified date update when you modify the Action tags, dimensions, or Action details.
- Validation Platform Actions: The version and modified date only update when the Security Validation team provides a new version of the Action.
Everyone who has a Validation License and the correct user permissions can create the following Action Types:
- Captive DNS Queries
- Captive IOC - PCAP
- Captive IOC - URL
- Cloud
- From PCAP
- Host CLI
- Protected Theater (a form of Host CLI Action)
- Malicious DNS Query
- Socket
- TCP Port Scan
- Web
- File Transfer
Everyone can also create Sequences and Evaluations.
Host-Filled User Tags While Running Bulk Jobs
Security Validation supports host-filled user tags for Bulk Jobs in the same way as for single Jobs. You can add user tags when running Actions, Sequences, or Evaluations in bulk.
User tag inputs appear only if a group within a Bulk Job contains a host_cli_action that requires them. Otherwise, the web interface displays only Actor Tags as input.
The following screenshot shows the user tag inputs on the Run Bulk Evaluation page. The two Host CLI Actions with user tag inputs are Host CLI - MIMIKATZ (2.1.1), Variant #1 and Host CLI - MIMIKATZ (2.1.1) W/ String Change and UPX.
Screenshot: Run Bulk Evaluation
All Actors that match the specified tags receive the same user tag values. If individual Actors require distinct user tag values, you must run separate Bulk Jobs, each selected by more refined tags so that only the intended Actors match.
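The rule above (one value set per tag selection, so distinct values need distinct, non-overlapping tag selections) can be checked before you submit anything. The following is an added example, not code from the Security Validation platform or its API: it uses a constructed Actor inventory with hypothetical tag names and a hypothetical user tag called target_user, groups Actors by the values they need, and for each group searches for the smallest tag selection that matches exactly those Actors. Where no such selection exists, the group is reported as needing a distinguishing tag before it can be run as its own Bulk Job.

```python
"""Plan Bulk Jobs so every Actor receives the user tag values it needs.

Added example; not the Security Validation platform's own code or data model.
The Actor inventory, tag names and user tag values are constructed for
illustration (hypothetical).
"""
from collections import defaultdict
from itertools import combinations

# Constructed inventory: Actor name -> set of Actor tags (hypothetical tags).
ACTORS = {
    "win-east-01": {"windows", "site-east", "edr-pilot"},
    "win-east-02": {"windows", "site-east"},
    "win-west-01": {"windows", "site-west"},
    "lnx-west-01": {"linux", "site-west"},
}

# Constructed requirement: the host-filled user tag values each Actor needs
# for a Host CLI Action ('target_user' is a hypothetical user tag name).
NEEDED = {
    "win-east-01": {"target_user": "svc_backup"},
    "win-east-02": {"target_user": "svc_backup"},
    "win-west-01": {"target_user": "svc_sql"},
}


def actors_matching(tags, inventory=ACTORS):
    """Actors that carry every tag in `tags` (how a tag selection picks Actors)."""
    tags = set(tags)
    return {name for name, have in inventory.items() if tags <= have}


def plan_bulk_jobs(needed=NEEDED, inventory=ACTORS):
    """Group Actors by the user tag values they need, then find, per group,
    the smallest tag selection whose match set is exactly that group.

    Returns (jobs, unplannable):
      jobs: list of {"tags": frozenset, "user_tags": dict, "actors": set},
            one entry per Bulk Job to run;
      unplannable: list of Actor sets that no combination of their shared
            tags isolates, i.e. groups that need a more refined tag first.
    """
    groups = defaultdict(set)
    for actor, values in needed.items():
        groups[tuple(sorted(values.items()))].add(actor)

    jobs, unplannable = [], []
    for key, members in groups.items():
        user_tags = dict(key)
        # Only tags shared by every member can select the whole group.
        common = set.intersection(*(inventory[a] for a in members))
        chosen = None
        # Try the smallest selections first; stop at the first exact match.
        for size in range(1, len(common) + 1):
            for combo in combinations(sorted(common), size):
                if actors_matching(combo, inventory) == members:
                    chosen = frozenset(combo)
                    break
            if chosen:
                break
        if chosen is None:
            unplannable.append(members)
        else:
            jobs.append({"tags": chosen, "user_tags": user_tags, "actors": members})
    return jobs, unplannable


if __name__ == "__main__":
    planned, blocked = plan_bulk_jobs()
    for job in planned:
        print(f"Bulk Job tags={sorted(job['tags'])} user_tags={job['user_tags']} "
              f"actors={sorted(job['actors'])}")
    for group in blocked:
        print(f"No tag selection isolates {sorted(group)}; add a distinguishing tag")
```

With the constructed data, the svc_backup pair is selected by the single tag site-east, while win-west-01 needs both site-west and windows, because site-west alone would also pull in lnx-west-01 and hand it the same values. If win-east-01 and win-east-02 needed different values, win-east-02 would be reported as unplannable: every tag it carries is also on win-east-01, so no selection can separate them until a more specific tag is added.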